The Cyberwar Surge

Cyberwar – attacking an enemy to destroy or capture its governmental and industrial functions by inserting manipulative software – was once the province of amateur hackers. But for almost a decade, it has been used by nations as a new and primary weapon. About two years ago, a cyberwar attack – probably launched from China – penetrated an unclassified e-mail system at the Pentagon.

The “Stuxnet” computer worm discovered in Siemens industrial control systems in Iran is one of two things. Either it is a surge in cyberwar, akin to the surge of troops into the war in Afghanistan, or it is an advance in the methods and means of cyberwar which will make it more damaging and deadly, like the advance from muzzle-loading muskets to breech-loading rifles.

In fact, it may be both. According to several news reports and the experts I conferred with, Stuxnet was apparently discovered about two months ago by a computer security expert in Belarus when it had already infected the Iranian system he was supposed to protect. It may have been designed to attack the Iranian nuclear program sites, ranging from the power plant at Bushehr to the uranium enrichment facility at Qom.

Whatever it is designed to attack and destroy, Stuxnet is apparently one of the most advanced cyberwar weapons ever devised.

Stuxnet is crafted to penetrate the Windows computers that run Siemens SCADA control software. It relies, in part, on four previously unknown Microsoft Windows vulnerabilities – “zero-days”, flaws for which no patch existed when the worm was found, so they could be exploited (used to gain control of the target machine) immediately. And it is, like the best of the cyberwar weapons, crafted to hide from detection and from defensive computer software.

When a computer system is penetrated, even before it is fully compromised, the security software on it is supposed to detect and isolate the intrusion to prevent damage. If damage is done, that protective software is supposed to run what is, in effect, a triage of the protected system. But Stuxnet, according to one expert, is written to avoid detection in a more sophisticated and subtle way than almost any other previously detected cyberwar weapon. That expert also told me that several Siemens systems have been compromised.

One press report speculates that it was designed to destroy or take over the computer systems running the Iranian nuclear program, most of which depend on Siemens control systems.

Many countries, especially China (which has an enormous cyberwar program, mainly located in Guangdong province), are investing heavily in cyberwar capabilities. In “Unrestricted Warfare”, a highly controversial book published in China in 1999 and in English translation in 2002, two active-duty People’s Liberation Army colonels wrote that technology used to change only the methods of warfare, but cyberwar changes the form of war fundamentally.

According to the Pentagon’s 2007 Report on Chinese Military Power, “In 2005, the PLA began to incorporate offensive [Computer Network Operations] into its exercises, primarily in first strikes against enemy networks.”

Chinese military doctrine now includes what it calls “assassin’s mace” (sha shou jian) programs: asymmetric-warfare strategies devised to turn Chinese technological strengths against the vulnerabilities of potential adversaries. Cyberwar is first among equals among the assassin’s mace programs.

The United States is heavily invested in cyberwar, as are Israel, Russia, India and others. But we have no doctrine for offensive use. In fact, our military and intelligence leaders haven’t yet agreed on a definition of cyberwar: when is a cyber attack an act of war?

They should ask the Estonian government. The 2007 attacks on Estonia, widely attributed to Russia, were distributed denial-of-service floods that ran for about three weeks and repeatedly knocked government, banking and media websites offline, effectively stopping the Estonian government from functioning normally for large portions of that time.

So what is Stuxnet? It is a weapon, whose we don’t know, that is highly effective and portable. One report says it can be carried on a USB “thumb drive” and delivered directly, even to a machine that is not connected to the Internet. Another quotes two computer security engineers: “After 10 years of reverse-engineering malware daily, I have never ever seen anything that comes even close to this”, and, from another, “This is what nation states build, if their only other option would be to go to war.” It is tightly tailored to the Siemens system, and could have been crafted specifically to disable or damage the computer networks and controls of Iran’s nuclear program.

Though we have made considerable gains in cyberdefense since 9/11, our utilities, our government’s non-defense computer networks and many industry networks are inadequately defended. Business leaders need to take this threat more seriously. In government circles, we need a clearer definition of the task, an operational doctrine, and leadership to ensure both defensive and offensive capabilities.

Every civilian and government computer network can become part of the modern battlefield if an adversary – be it a nation-state or a terrorist group – penetrates it with something like the Stuxnet worm.